Sunday, October 6, 2013

I'm really trying to understand the difference between OpenID and OAuth? Maybe they're two totally separate things?
share|improve this question

7 Answers

up vote222down voteaccepted
OpenID is about authentication (ie. proving who you are), OAuth is about authorisation (ie. to grant access to functionality/data/etc.. without having to deal with the original authentication).
OAuth could be used in external partner sites to allow access to protected data without them having to re-authenticate a user.
The blog post "OpenID versus OAuth from the user’s perspective" has a simple comparison of the two from the user's perspective and "OAuth-OpenID: You’re Barking Up the Wrong Tree if you Think They’re the Same Thing" has more information about it.

OpenID versus OAuth from the user’s perspective

Published on  and tagged with oauth  openid
In this article I want to show the differences between OpenID and its younger cousin OAuth by providing for each a typical user scenario.
First the scenario for OpenID:
  • User wants to access his account on
  • (the “Relying Party” in OpenID lingo) asks the user for his OpenID
  • User enters his OpenID
  • redirects the user to his OpenID provider
  • User authenticates himself to the OpenID provider
  • OpenID provider redirects the user back to
  • allows the user to access his account
And now the scenario for OAuth:
  • User is on and wants to import his contacts from
  • (the “Consumer” in OAuth lingo) redirects the user to (the “Service Provider”)
  • User authenticates himself to (which can happen by using OpenID)
  • asks the user whether he wants to authorize to access his contacts
  • User makes his choice
  • redirects the user back to
  • retrieves the contacts from
  • informs the user that the import was successful
From those scenarios we can see that OpenID is about authentication (i.e. I can identify myself with an url) whereas OAuth is about authorization (i.e. I can grant permission to access my data on some website to another website, without providing this website the authentication information for the original website).
I hope this helps to keep apart those two standards :)

No comments: